Corporate domain - False detection of logon script

[Mefesto44]

I just deployed MBAR across my domain after running it independently on a few machines.  The independent machines ran just fine, no issues for a week or so, and I decided to deploy it through my RMM tool silently to all end user workstations.  The deploy with the silent switches worked flawlessly.  However I got a call this morning that one of my staff members had a detection this morning.  Boy, I was feeling like the luckiest guy in the world with the timely install and detection catch, but I came to find out that it was detecting my Kixtart logon script executing from our AD sever (which in turn prevents the user from logging in since the script hangs and terminating the script logs the user off).  I tried to go into exclusions and add the actual file in question but no dice... it would still detect it on logon.  Oddly enough, it's only for this one user so far (out of 100 or so).

Any ideas?  I have two AD servers so I added the detection path to both servers to the exclusion list.  I have since turned off protection for this one user.  

Screenshots attached.

[Mefesto44]

I was not sure if you needed me to zip up the WKIX32.EXE or not.  Here it is just in case.

WKIX32.zip

[1PW]

Hello Mefesto44 and

Unfortunately, it appears as if there has been a misunderstanding.  Due to the fact that the MBARW Beta testing project is in the earliest phases of Beta, the use of MBARW Beta in any commercial/enterprise/production environment is strongly discouraged at this time.

If you would like assistance in achieving a successful uninstall of MBARW Beta, please advise in a reply to this topic.  Thank you for your interest in MBARW Beta testing project and your continued patience and understanding.

[Mefesto44]

What a shame, but understandable.  This is the environment where this kind of theft is most destructive.  I was excited to hear about Malwarebytes developing this program since you all have a high standard of performance and reliability.  Please make sure to let us know when your product is available for purchase and roll out to corporate and Healthcare environments.  Our patient data and privacy is of the utmost importance.

[1PW]

Hello Mefesto44:

Rathar than run the risk of inaccurately paraphrasing, It might be best if you read the first two posts in the first locked/pinned thread in this sub-forum.

Reference: https://forums.malwarebytes.org/topic/177751-introducing-malwarebytes-anti-ransomware-beta/

Thank you again.

 

[Mefesto44]

Do you have the silent uninstall switches for unattended uninstall?

[1PW]

Hello Mefesto44:

It is best if a MBARW Beta development team member answers your question as I am uncertain which, if any, Inno switches were baked into Beta6.

I have forwarded your query.

Thank you for your patience and understanding.

Edited May 31, 2016 by 1PW

[David H. Lipman]

It didn't flag the Login Script ( usually .KIX ), it flagged the Script Interpreter, KiXtart.

Ron ( AdvancedSetup ) and my favourite script interpreter.

 

[AdvancedSetup]

I've reported it to the team. Thanks

 

[AdvancedSetup]

Team has requested the following please.

https://forums.malwarebytes.org/topic/177810-how-to-report-a-false-positive/

Thanks

 

[OriSei]

Greetings Mefesto44!

Thanks for taking the time to test the ARW beta.

I'm a member of the dev team and I would like to take a look at what has happened in the scenario you described. Please follow the steps described in How to report a false positive in the machine where this issue happened.

OriSei

[Mefesto44]

I just stepped out today on vacation.  I will be back in the office on Wednesday.  I will upload the requested info then.  Thank you so much!